You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier
As it emerges non-internet-connected election systems are actually connected to the internet
Black Hat – While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper.
It's the only way to be sure hackers and spies haven't delved in from across the web to screw with your vote.
“Paper ballots are almost 100 per cent reliable and provide a voter-verifiable paper trail,” he told your humble Reg vulture and other hacks at Black Hat in Las Vegas on Thursday. “This isn’t hard or controversial. We use them all the time in Minnesota, and you make your vote and it’s easily tabulated.”
The integrity of the election process depends on three key areas: the security of the voter databases that list who can vote; the electronic ballot boxes themselves, which Schneier opined were the hardest things to hack successfully; and the computers that tabulate votes and distribute this information.
Election security is a hot topic at the Black Hat and DEF CON hacking conferences this year, and a matter of increasing national concern. Two pieces of legislation, one requiring paper ballots be produced for every vote, and another requiring parties to inform the FBI if foreign governments quietly hit them, passed the US House of Representatives last month.
However, Senate majority leader Mitch McConnell (R-KY) has refused to table the legislation in the upper house, saying the bills were partisan. Entirely coincidentally, it has subsequently come out that "Moscow Mitch" accepted thousands of dollars in lobbying cash from election machine manufacturers.
“The problem with election security is politics,” Schneier said. “We have a party in the US that doesn’t favor voting.”
Schneier's comments came on the same day that investigative reporter Kim Zetter revealed that America's election management systems, which are not supposed to be connected to the internet long term, were, and still are, in fact connected to the internet.
We're told ten security eggheads found that dozens of back-end election systems manufactured by ES&S had been left facing the internet for ages. The systems are designed to receive preliminary voting tallies from ballot machines after the polls close, remaining online for a very short period, and yet many were still lingering around on the 'net to this day. They do not count up the final results, it must be stressed: those totals are obtained by extracting data from the memory cards in the individual voting machines and processing all that offline.
The idea is that, on election night after the polls close, these back-end internet-connected systems receive initial tallies from e-voting boxes via SFTP behind a Cisco firewall, yet they end up being left online for many months after. If someone were to hack into these back-end computers and tamper with them on a crucial election evening, the preliminary counts arriving from the e-ballot boxes – figures that are quickly handed to the media for live analysis – could be intercepted and altered so that, when the official numbers come in from the memory cards, there is enough mistrust among the public that no one knows which result is real.
It is, if you'll forgive us, a bit of a stretch: you'd need to pwn the SFTP server after getting through the filters on the Cisco firewall in order to get anywhere inside. Yet, it would be lovely if officials could get on top of their IT equipment, and take offline systems that are supposed to be offline, as America gears up for the crucial 2020 White House race.
The government is here to help
Schneier also spoke of the importance of technically skilled people getting into government, a topic he has raised before.
The technical knowledge of most congresscritters is sadly lacking, Schneier said, and they need good advice. He pointed to a big improvement in the statements issued by Senator Ron Wyden (D-OR) after the ACLU’s Christopher Soghoian joined his team.
Schneier suggested that technologists can do the most good for the country by avoiding running for public office, and instead joining regulatory agencies. Legislators may enact major new laws on technology once a decade or so, but federal agencies are much more flexible and can make policy quickly and often.
He was blisteringly scathing about the Active Cyber Defense Bill, which is being considered by Congress. The legislation, introduced by House Representative Tom Graves (R-GA), would legalize “hacking back,” whereby if a company is pwned online, it can legally go after its attacker.
“I’m sure there are some IT managers who would love to break out the attack code but it’s a terrible idea,” he said. “There’s a good reason why we give government a monopoly on violence: vigilante mobs get it wrong.”
He was also dismissive of recent noises from the US and other Five Eyes nations to force technology companies to introduce backdoors into encryption exclusively for law enforcement to use. Such calls have been going on since the 1990s, he pointed out, and so far it had been all talk.
“We’ve seen the Australian law passed, and the UK is moving on it too,” he said. “But in the US we have a very different relationship with government. Americans just don’t trust their governments as much as the UK and Australia.” ®